Skip to main content

Custom Compliance Policies

This walkthrough takes you through the steps to use the Lacework CLI to create a custom compliance policy and adding that policy to a custom report. A compliance policy evaluates resource configuration in your integrated cloud environments with results appear in a daily report. For more information about compliance policies, see Custom Policy Types.

The following steps provide a basic end-to-end workflow to create a custom compliance policy. For additional options when creating queries and policies, see LQL Queries and Policies. Also, this walkthrough omits steps for exploring the data. For a complete end-to-end walkthrough, see CLI Custom Policies.

Create a Query

  1. Open your text editor, create a new file, and add the following content:

    Compliance query
    queryId: LW_Custom_UnrestrictedIngressToTCP3349
    queryText: |-
    source {
    array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
    array_to_rows(ip_permissions:IpRanges) as ip_ranges
    filter {
    ip_permissions:IpProtocol = 'tcp'
    and ip_permissions:FromPort = 3349
    and ip_permissions:ToPort = 3349
    and ip_ranges:CidrIp = ''
    return distinct {
    'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
  2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349.yaml. Note the file's location.

  3. In the Lacework CLI, run this command:

    lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349.yaml

    The following response appears:

    The query LW_Custom_UnrestrictedIngressToTCP3349 was created.

Create a Policy

  1. In your text editor, create a new file, and add the following content:

    Compliance policy
    title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 3349
    enabled: true
    policyType: Compliance
    alertEnabled: true
    queryId: LW_Custom_UnrestrictedIngressToTCP3349
    description: Security groups should not allow unrestricted ingress to TCP port 3349
    remediation: Policy remediation
    severity: medium
  2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml. Note the file's location.

  3. In the Lacework CLI, run this command:

    lacework policy create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml

    The following response appears:

    The policy dev-default-75 was created.

Add the Policy to an Assessment


This section describes functionality that is currently in preview.

The policy you just created is not a part of any report yet. To have your policy assessment appear in a report, using the Lacework CLI, create a custom assessment based on an existing one or create a new assessment.

Lacework provides hundreds of compliance policies, grouped by industry benchmarks (PCI, ISO27001, SOC2, HIPAA, and more), which get assessed daily. Choose the assessment on which you want to base your custom assessment with your custom policy. When choosing an assessment, consider that cloud security teams usually care about CIS for Security Posture baseline; compliance teams often care about just one or two industry benchmarks, but not all of them. Lacework assesses all enabled policies and produce assessments for all out-of-the-box benchmarks. Reports generated by those different assessments can be sent to different audiences within your organization.


Currently, a custom report can only contain compliance policy assessments of the same cloud type (that is, only AWS, GCP, or Azure compliance policies).

To add the policy to a custom assessment, follow these steps:

  1. Enter the following command from the command line:
    lacework report-definition create
  2. At the prompt asking whether you want to create a report definition from a blank template or from an existing template, either add your policy to an existing template or create a new assessment, as follows:
    • To add your policy to an existing template, enter y and follow these steps:
      1. Use arrows to scroll through the list of assessments and choose one to serve as your template by highlighting it and pressing the enter key.
      2. In your text editor, modify the reportName, displayName, and add your custom policy by name, dev-default-75, to a section in the template, as shown: Custom compliance assessment by CLI
      3. Save and close the file.
    • To add your policy to a new assessment, enter N and follow the steps as prompted by the CLI.

When you finish the custom configuration, the CLI displays a command for inspecting your new report definition with its unique ID, something like this: Custom compliance assessment by CLI

The compliance policy is now listed in the cloud compliance page, and appears in the next daily compliance report:

Custom compliance policy in a custom report